IT Security

Deloitte, a firm known worldwide as part of the “big four” of accountancy, has become the victim of a hack that has affected emails for some of its biggest clients. Deloitte is also a firm that, five years ago, was ranked the best big four company for cyber security.

No one knew

The London-registered firm, with a reported revenue of £27.3bn last year, became the victim of an attack that went unnoticed for months. The hack was discovered in March this year, yet the hacker(s) may have had access since October 2016.

The attack

All emails sent to Deloitte’s 200,000-plus staff are stored on an Azure cloud service. The global email server was compromised by hacker(s) who found an administrator account with unrestricted access to all areas. It would also appear that this account was protected by only a single password and didn’t have two-factor authentication applied.

Who was affected

Other than the obvious victims, Deloitte has also informed at least six of its major clients that the breach has impacted them.

Amongst the possible 5 million emails on the server, it is understood that the hacker(s) may also have had access to sensitive network information and credentials. Some emails would also have contained attachments that included sensitive information.

Seriousness of the incident

Deloitte took this incident very seriously when it first came to light, with reportedly only a select few of the most senior partners and lawyers being told about the issue. Another point highlighting the seriousness came on April 27th, when Deloitte hired Hogan Lovells, an international law firm, to review the possible incident.

What have Deloitte had to say

A Deloitte spokesman has come out with the following: “In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte.”

“Our review enabled us to determine what the hacker did and what information was at risk as a result. That amount is a very small fraction of the amount that has been suggested.”